
How to prevent reading internal routing table?

Comments

12 comments

  • cPRex Jurassic Moderator
    Hey there! Can you explain to me how those subdomains aren't public? If the subdomain is created and exists in DNS, anyone would be able to attempt a connection to it.
    0
  • serpent_driver
    Not public means the subdomains either have never been published in search engines, or have password protection, or don't exist anymore, or have no content, or have a redirection, and so on... You said if they are in DNS they can be connected to. That's okay, but if there are subdomains like the URL to the cPanel/WHM control panel or other subdomains that are created by cPanel, I am the only one who knows such URLs. To me, it looks like someone can access or read information like the routing table. For example, what happened today: Netcraft Survey Agent tries to connect to all subdomains that existed in the last 3 years, around 50 subdomains within a few hours. That cannot be a coincidence.
    0
  • cPRex Jurassic Moderator
    I don't think that is the case at all, and isn't how those tools work. For example, I get CSF/LFD notifications all the time on my personal server for users trying to access domain.com/cpanel. If you do a web search for a domain name, and add "cpanel" to it, you won't see that directory come up, but it's such a common directory that the automated bots know to test that. I don't think there is any tool that is reading a routing table or other DNS structure, but it's just reading from a common list that is automatically generated.
    0
  • serpent_driver
    In the case of the cPanel URL, your answer could sound plausible. If it were only about the URL to the control panel, there wouldn't be any reason to panic, but it is about more than the control panel URL. It is about all subdomains I ever created, but I will give you another example to demonstrate that there must be some "tool" to get access to DNS information. Some months ago, for testing, I added some A records to the DNS zone, but without creating subdomains. The DNS zone only has additional A records, nothing more. If ModSecurity blocks access to these "faked" URLs, someone must be able to read DNS information if I am the only one who knows it. You can reproduce it on your own. Create a ModSecurity rule that blocks the User Agent "Netcraft Survey Agent" and create an A record for a subdomain that doesn't exist. It could take some time, but if you watch ModSecurity Tools frequently you will find a hit. Happy New Year :)
    0
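
The test described in the post above (an A record that was never announced, then watching for requests to it) can also be run over web server access logs. This is an added example, not code from the thread or from cPanel; the log layout (virtual host first, then Apache "combined" fields), the hostnames, the IP addresses and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: virtual host first, then the Apache "combined" fields.
LINE = re.compile(
    r'(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample data (documentation IP ranges, example.com names).
SAMPLE_LOG = """\
www.example.com 198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
old-shop.example.com 203.0.113.9 - - [01/Jan/2024:10:05:11 +0000] "GET / HTTP/1.1" 403 199 "-" "Netcraft Survey Agent"
canary-a1.example.com 203.0.113.9 - - [01/Jan/2024:11:40:30 +0000] "GET / HTTP/1.1" 403 199 "-" "Netcraft Survey Agent"
staging.example.com 203.0.113.9 - - [01/Jan/2024:12:15:45 +0000] "GET / HTTP/1.1" 403 199 "-" "Netcraft Survey Agent"
www.example.com 198.51.100.7 - - [01/Jan/2024:12:20:00 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""
CANARIES = {"canary-a1.example.com"}  # A records that were never published anywhere


def parse(log_text):
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["host"].lower(), m["ip"], m["ua"]


def sweeps(log_text, min_hosts=3, window=timedelta(hours=6)):
    """User agents that requested >= min_hosts distinct hostnames within window."""
    seen = defaultdict(list)
    for ts, host, _ip, ua in parse(log_text):
        seen[ua].append((ts, host))
    result = {}
    for ua, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                result[ua] = sorted(hosts)
                break
    return result


def canary_hits(log_text, canaries=CANARIES):
    """(ip, user agent, hostname) for every request to a canary hostname."""
    return [(ip, ua, host) for _ts, host, ip, ua in parse(log_text) if host in canaries]
```

A hit on a canary hostname shows that the name was learned from somewhere other than a published link, and the sweep report shows how many distinct hostnames one client worked through in the window.
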
  • cPRex Jurassic Moderator
    I would also expect DNS information to be public. If you're adding an A record, that's public information as well.
    0
  • serpent_driver
    "If you're adding an A record, that's public information as well."

    How can such information be public? Your reply means (for me) that if I ask a server to give me all DNS information, it publishes that data without knowing whether the one who asked is allowed to get this information. Some information like IP, hostname or nameserver is necessary, but it is not okay to request the hostname like Netcraft Survey Agent does and the server gives him ALL DNS information about domains, subdomains, A records and so on, set up on the server. Do you think that is okay?
    0
  • cPRex Jurassic Moderator
    That's how the entire internet works - DNS information is free and public and there is no authentication required to ask another server for their records. I can connect to any system on port 53 and ask for DNS information. If you do not want the access to exist, then it should not be added in the DNS zone.
    0
  • serpent_driver
    I know how the Internet works! DNS is an elementary part of the Internet, but you seem not to understand what I am talking about. Again, how can it be possible if I request only the hostname via the HTTP protocol and my server publishes all DNS, again ALL DNS information from A to Z, everything?
    0
  • cPRex Jurassic Moderator
    There are many ways this information can be found. For example, this online tool lets you enter a hostname and it will pull all the DNS records that are available:
    0
  • serpent_driver
    Hey Hurra, we come together ;), but this tool at ultratools.com doesn't work. There are better ones and I know some of them, but all such tools publish only the basic DNS information that is exclusively needed to get access to a host, but not the content of my complete zone file. And that is the problem I have with all my servers managed with cPanel/WHM. If you don't have more and better information we should stop the conversation. Thank you for your time and for trying to help.
    0
  • cPRex Jurassic Moderator
    You're very welcome! While that tool may not work in all cases, it was just one example that there are ways to get those details that aren't malicious.
    0
  • serpent_driver
    To keep this thread alive, because it isn't solved, I am adding some information for other users who want to protect their DNS. The main topic of this thread is: Disabling or Enabling DNS Recursion on Your BIND Server to prevent exploring all subdomains. Here are some links:
    0
